Intrusion detection systems are used by an enterprise to detect and identify unauthorized or unwanted use (commonly called an attack) of the enterprise's computer network, which normally comprises a large number of nodes and network operations centers (NOCs). In general, these enterprise intrusion detection systems scan incoming data for specific patterns in network traffic, audit trails, and other data sources to detect malicious activity. Due to the large quantity of data, conventional intrusion detection systems often use many analysts to evaluate network data with various tool implementations for identifying the patterns, such as finite state machines, simple pattern matching, or specialized algorithms.
Traditional enterprise intrusion detection systems (IDSs) do not include an ability to quickly and dynamically update intrusion signatures at a large number of nodes. Often this is due to the lack of reliable scalability of the IDS and\or poor communication between various components of the IDS across an enterprise. Additionally, conventional IDSs normally do not include the capability to effectively detect or respond to long-term attacks.